{
	"id": "cf656ac7-6def-455d-8cd8-4cd2fd226eb9",
	"created_at": "2026-04-06T00:16:49.45657Z",
	"updated_at": "2026-04-10T03:28:20.900707Z",
	"deleted_at": null,
	"sha1_hash": "bf1fd35150ff85d9485d0bb4290ca770f20005dd",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47317,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 14:07:06 UTC\nAPT group: ShaggyPanther\nNames ShaggyPanther (Kaspersky)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2018\nDescription\n(Kaspersky) We first discussed ShaggyPanther, a previously unseen malware and intrusion set\ntargeting Taiwan and Malaysia, in a private report in January 2018. Related activities date back\nto more than a decade ago, with similar code maintaining compilation timestamps from 2004.\nSince then, ShaggyPanther activity has been detected in several more locations: most recently\nin Indonesia in July, and – somewhat surprisingly – in Syria in March. The newer 2018 and\n2019 backdoor code maintains a new layer of obfuscation and no longer maintains clear-text\nC2 strings. Since our original release, we have identified an initial server-side infection vector\nfrom this actor, using SinoChopper/ChinaChopper, a commonly used web shell shared by\nmultiple Chinese-speaking actors. SinoChopper not only performs host identification and\nbackdoor delivery but also email archive theft and additional activity. Although not all\nincidents can be traced back to server-side exploitation, we did detect a couple of cases and\nobtained information about their staged install process. In 2019, we observed ShaggyPanther\ntargeting Windows servers.\nObserved\nSectors: Government.\nCountries: Indonesia, Malaysia, Syria, Taiwan.\nTools used China Chopper.\nInformation Last change to this card: 14 April 2020\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=957ca760-b50a-4d6d-a4d5-72dcdc3737e3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=957ca760-b50a-4d6d-a4d5-72dcdc3737e3"
	],
	"report_names": [
		"showcard.cgi?u=957ca760-b50a-4d6d-a4d5-72dcdc3737e3"
	],
	"threat_actors": [
		{
			"id": "9443573a-7ebc-4fd3-869f-b9c820c152d8",
			"created_at": "2022-10-25T16:07:24.175377Z",
			"updated_at": "2026-04-10T02:00:04.889801Z",
			"deleted_at": null,
			"main_name": "ShaggyPanther",
			"aliases": [],
			"source_name": "ETDA:ShaggyPanther",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"SinoChopper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dcf74886-fda8-4268-905a-3515ead0ab42",
			"created_at": "2024-02-06T02:00:04.127333Z",
			"updated_at": "2026-04-10T02:00:03.574562Z",
			"deleted_at": null,
			"main_name": "ShaggyPanther",
			"aliases": [],
			"source_name": "MISPGALAXY:ShaggyPanther",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434609,
	"ts_updated_at": 1775791700,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf1fd35150ff85d9485d0bb4290ca770f20005dd.pdf",
		"text": "https://archive.orkl.eu/bf1fd35150ff85d9485d0bb4290ca770f20005dd.txt",
		"img": "https://archive.orkl.eu/bf1fd35150ff85d9485d0bb4290ca770f20005dd.jpg"
	}
}